Can I fake Drive Used/Free space Value?

Discussion in 'privacy problems' started by aklies14, Jul 23, 2012.

Thread Status:
Not open for further replies.
  1. aklies14

    aklies14 Registered Member

    Joined:
    Jun 22, 2012
    Posts:
    29
    Location:
    America
    My external hard drive (1TB, usable 930GB) has 2 partitions of 465 GB each, and each partition is filled with data up to 460GB; only 5GB free space is left in each partition.

    I want to know if there is any way I can make these partitions appear as empty (or let's say 1GB used and the rest free) WITHOUT CORRUPTING THE DATA when I check partition properties in Windows OS on any system (so no hack to Windows, I need something at hard drive level). I know the user can still go inside the partition and select all folders to check their size; don't worry about that. I am not concerned about that. All I want is to fool Windows OS of any system to display fake used and free space values (any value I wish) on checking partition properties without corrupting the data. Is this possible?
     
  2. Pinga

    Pinga Registered Member

    Joined:
    Aug 31, 2006
    Posts:
    1,420
    Location:
    Europe
    Why would you want to do that?
     
  3. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    When I opened the thread I was asking myself the same question. :rolleyes:
     
    Last edited: Jul 25, 2012
  4. aklies14

    aklies14 Registered Member

    Joined:
    Jun 22, 2012
    Posts:
    29
    Location:
    America
    As an extra level of protection of my encrypted TC data file for the rainy day. When someone scans my drive and finds it to be empty, then there is a good chance that the investigator wouldn't look further and will assume that there is no data (I plan to hide my data file inside a system folder +h +s). Because if he finds out my encrypted data file then he can/will beat the **** out of me and I would have to give up ALL passwords (beating is ok in my country).

    And no, I don't have any illegal files, I just want my private data to remain mine till the day I die, and my country has no 4th, 5th or 6th amendment thing like the US and beating works just fine. TC should include some way to destroy data if a particular password is used. I know we can have container backup before but still can work in many cases.

    PS: If you guys have any other suggestion about what I want to achieve then please let me know.
     
    Last edited: Jul 25, 2012
  5. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Why not just use hidden volumes? "here's the password ossifer, open'er up".

    PD
     
  6. aklies14

    aklies14 Registered Member

    Joined:
    Jun 22, 2012
    Posts:
    29
    Location:
    America
    I am already doing that and it will buy me some time only. When someone looks into the outer volume data and sees only 3GB used on a 500GB container file, then it won't take them long to realize that a hidden volume is being used and they will come back with truth serum :D

    In my country forensic investigation is not that sophisticated like the US, and those idiots can't even figure out by themselves if a file is a TC container or not, but by common sense can easily assume that if a drive partition is almost full then there is definitely hidden data somewhere, and here comes the truth serum again :(

    That's why I want to fake drive used/free space, or if you guys have any other idea, then please do share.
     
  7. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Woah, do you really need that much secrecy? :D
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    "Not that we needed all that [secrecy], but once you get locked into a serious...collection, the tendency is to push it as far as you can." ;)
     
  9. aklies14

    aklies14 Registered Member

    Joined:
    Jun 22, 2012
    Posts:
    29
    Location:
    America
    Thanks for understanding :shy:

    I guess anything even remotely close to this is not possible, I should look for some other solution.
     
  10. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    That's a very dangerous assumption, and the nature of your initial question shows that you are relatively unskilled in this arena. I recommend caution and a reassessment of risks.
     
  11. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    This is not serious.
    Choosing an effective anti-forensic solution means first that you are aware of the limits of computer forensic sciences...
    Then it is easy to play with volumes and disk space, but it is not serious to think that is enough to fool the investigation process or the forensic tools/programs.
    In a proper way, the evidence gathering is done in an image of the original disk, not on the suspected disk (to not alter data and for law impact).
    Maybe some investigators in some countries are not as armored as the FBI/NSA forensic services, but any one of them knows the ABC of forensic liveCD (offline system file analysis)...
    And I will not give here any kind of ethical opinion about what is suspect or not, and certainly not discuss the equation "nothing to hide=nothing to fear" http://falkvinge.net/2012/07/19/debunking-the-dangerous-nothing-to-hide-nothing-to-fear/

    For anyone who has something very risky to hide, I suggest the Cosa Nostra method: take a helicopter trip to an active volcano (the Vesuvius is a good choice in Europe) and just throw the disk in the heart of the volcano...
    Then you can be sure that even the N S A will not find any kind of digital evidence on it...
     
  12. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    If your disk is encrypted, the investigators cannot tell how much disk space is being used in the first place.
     
  13. redcell

    redcell Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    126
    I categorize computers with Full Disk Encryption (FDE) into 3 tiers:-

    Tier 1: Deceptive pre-boot error message + optional token + decoy OS + destruction password + hidden partition destroyer mechanism (self-invented). Your attacker has almost zero chance of peeping into your real OS.
    Tier 2: Deceptive pre-boot error message + optional token + decoy OS
    Tier 3: Deceptive pre-boot error message + optional token

    Truecrypt is a tier 2.5. Its decoy OS structure is known among trained computer forensics or those in the FDE arena. That's the bad thing about Truecrypt.

    I'm using a Tier 1 FDE but won't reveal which software. Even if I do, the execution of this software is extremely complicated and time-consuming.
     
  14. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi

    When using full disk encryption, it appears totally lapsed to set up fake volume space.
    It is true that encryption is one of/the most effective anti-forensic measures. There is an excellent research paper about this subject available for free on some sites...
    This requires for the investigator not only skills, but almost various resources (material, time, money, relations...).
    And there are much more powerful and hardened encryption solutions than the one mentioned by Redcell (the N S A for instance is known to use a specific Man in the Middle encryption device).
    Full disk encryption software has its weaknesses, implementation algorithms must be robust, stored key area, MBR address, with or without external authentication factor ...
    And moreover, consider that some commercial encryption solutions include a backdoor, and some companies, especially in USA, Germany, Israel collaborate with national security agencies.
    If we consider the case of effective security agencies from USA or Israel, then we could expect various possibilities to gain access to the digital evidence.

    First goal: find this ~ Snipped as per TOS ~ decryption key with or without physical access to the machine.

    Remotely with a government trojan (CIPAV or any other custom one) or a commercial one like the Hacking Team RAT/RCS ( http://www.hackingteam.it/index.php/remote-control-system ), using various spy features (keystroke, video screen recording or screenshot capturing), or with the DPI and the collaboration of the ISP.
    More reliable and effective is the physical access after the information and intelligence gathering phase, the agency knows every aspect of the suspect's life, then
    use a hardware keylogger combined with a software keylogger, a custom bootkit (see Peter Kleissner research), hidden cameras that could zoom on the keyboard and screen... and under certain circumstances and with a little chance, cold boot and evil maid attacks can be tried, but are unfortunately rarely successful...

    At distance, a few meters from the suspect's house/flat, in a CarLab or neighbored room lab, using vision scopes ( http://www.nightvisionmall.com/page/NVM/CTGY/LAWMIL/ ) recording, TEMPEST (electromagnetic emanation) or keyboard acoustic emanation.
    As a last resort before hard methods, social engineering can be used with a Bimbo (Zahia and Ruby are famous in Europe) Matahari (the pretty Anna Chapman http://vault.fbi.gov/ghost-stories-russian-foreign-intelligence-service-illegals/videos )...
    And of course there are much more persuasive methods with ( http://en.wikipedia.org/wiki/Key_disclosure_law ) or without the law, in democratic (http://falkvinge.net/2012/07/12/in-...or-encryption-but-for-astronomical-noise-too/ ) or citizen oppressed countries!
    These famous images are a summary http://imgs.xkcd.com/comics/security.png
    As a freedom fighter in Russia like the ***** riots or as child pornography distributor like Emilio Luna in USA ( http://www.fbi.gov/wanted/cyber/emilio-luna/view ), it's up to anyone to choose his Sonny Curtis song version: the Clash one ("I fought the law and the law won") or the Dead Kennedys version ("I fought the law and I won")...

    rgds
     
    Last edited by a moderator: Aug 19, 2012
  15. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    Some people keep secret data on an external hard disk that is fully encrypted. To make plausible deniability, keep 3 or more disks. One disk is full device encrypted using Truecrypt and contains your secret stuff. The second is wiped using DBAN random data and the third is your unencrypted decoy that is full of files that you use but are not sensitive.
    When your adversary asks what is on the disks with random data, you say they are spares that you haven't used yet. The guy you bought them from erased them using DBAN.
    This form of PD still has problems. Like TC, you have encryption software installed on your computer so it implies you have encrypted data somewhere and then there is the OS which may (probably does) keep some evidence of your mounted volume.
     